How important is it for AMPs to maintain appropriate AML records?

How important is it for Art Market Participants (AMPs) to maintain appropriate AML records?

Written by Rena Neville, Lead AML Consultant, FCS Compliance, Art Division

The short answer? It is very important to keep appropriate AML records, as failure to do so may be a crime. The following Q&A delves into this further:

Is HMRC permitted to ask to see our AML Programme Records? If so, what types of records might they ask to see?

Yes, HMRC may ask to review AML Programme Records as part of an Intervention, also known as an audit.

One likely request from HMRC would be to ask to see the AMP’s Know Your Client (KYC) and Customer Due Diligence (CDD) documents and information (records).  These types of records include, without limitation, records of KYC and CDD as well as the nominated officer’s (NO) / money laundering reporting officer’s (MLROs) decision-making with respect to filing or not filing a SAR, and reasons for proceeding or not proceeding with a transaction.

In addition to records generated in connection with or received from customers, adequate record keeping should include internal communications.  These could include records of reports made by staff and/or those presented to senior leadership by the NO/MLRO.  This in addition to records of any subsequent action taken as part of ongoing monitoring of a business relationship or of a transaction involving a high-risk client, high-risk jurisdictions, politically exposed person (PEP), and/or suspicion of money laundering (ML) or terrorist threat.

External communications with third parties such as with law enforcement or suspicious activity reports (SARs) should also be maintained.

Finally, AMPs are required to maintain records of annual AML training sessions, including information about attendees and the content.  Generally, any internal information that may affect the annual Risk Assessment should also be recorded.

How and for how long must AML records be kept?

AML records should be kept securely and separately from routine client files.

Some of the records should be kept for at least five years from the date of the transaction.  These include information gleaned from CDD and obtained in connection with Business Relationship Clients (those with an immediate expectation of repeat business).  However, for Business Relationship Clients, an AMP need not keep records longer than ten years from the end of the relationship.

Records that generally should be kept for a “reasonable period of time” include training records, internal reports and external reports.

Upon the expiry of the five-year or reasonable period, as applicable, it is important to delete personal data unless

  • retaining the records is required by, or under, any enactment, or for the purposes of any court proceedings; or
  • the AMP has reasonable grounds for believing that such records need to be retained for the purpose of legal proceedings, or
  • the data subject consents to the retention of the information

Does keeping client personal data as part of CDD breach data protection obligations?

Although there is an apparent conflict between data protection and AML obligations, under the UK ML Regulations, AMPs are permitted to ask for and store personal date to comply with the ML Regulations, consistent with data retention requirements.  Some of the data protection requirements include not using the personal data for competitive or commercial reasons; as well as ensuring staff are trained how to comply with data protection obligations.


Article published: April 2023